CVE-2017-5649: Apache Geode information disclosure vulnerability
Severity: Medium
Base score: 5.5 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L)
Vendor:
The Apache Software Foundation
Versions Affected:
Geode 1.1.0
Description:
When a cluster has enabled security by setting the security-manager
property, a user must hold DATA:READ permission to view data stored in
the cluster. However, an authenticated user who holds CLUSTER:READ but
not DATA:READ can still reach the Data Browser page in Pulse (the
cluster's monitoring web UI). From there the user could execute an OQL
query that exposes data stored in the cluster, bypassing the DATA:READ
requirement that applies to other read paths.
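The following is an added example, not code from the advisory or from the
Geode project. It shows the two permissions the description contrasts by
implementing Geode's SecurityManager extension point with two hypothetical
accounts: "monitor", granted only CLUSTER:READ (enough to log in to Pulse),
and "reader", granted DATA:READ. The mayRunQuery helper, the account names,
passwords and the "Customers" region are assumptions made for the example;
mayRunQuery models the gate a query path should apply (DATA:READ on every
region the OQL query touches), it is not Geode's own Pulse or query code.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;

import org.apache.geode.security.AuthenticationFailedException;
import org.apache.geode.security.ResourcePermission;
import org.apache.geode.security.ResourcePermission.Operation;
import org.apache.geode.security.ResourcePermission.Resource;
import org.apache.geode.security.SecurityManager;

/**
 * Example SecurityManager (not Geode's own): plugged in via the
 * security-manager property, it answers authenticate() and authorize()
 * for two hypothetical accounts constructed for this example.
 */
public class ExampleSecurityManager implements SecurityManager {

  // user -> password and user -> granted permissions; hard-coded for the example
  private static final Map<String, String> PASSWORDS = new HashMap<>();
  private static final Map<String, Set<ResourcePermission>> GRANTS = new HashMap<>();

  static {
    // "monitor" may read cluster metadata (and so open Pulse) but not region data
    PASSWORDS.put("monitor", "monitor-pw");
    GRANTS.put("monitor", perms(new ResourcePermission(Resource.CLUSTER, Operation.READ)));
    // "reader" holds the permission that viewing data actually requires
    PASSWORDS.put("reader", "reader-pw");
    GRANTS.put("reader", perms(new ResourcePermission(Resource.DATA, Operation.READ)));
  }

  private static Set<ResourcePermission> perms(ResourcePermission... p) {
    return new HashSet<>(Arrays.asList(p));
  }

  /** Credentials arrive as the standard security-username / security-password properties. */
  @Override
  public Object authenticate(Properties credentials) throws AuthenticationFailedException {
    String user = credentials.getProperty("security-username");
    String pw = credentials.getProperty("security-password");
    if (user == null || pw == null || !pw.equals(PASSWORDS.get(user))) {
      throw new AuthenticationFailedException("bad credentials for " + user);
    }
    return user; // this principal is what authorize() receives later
  }

  /**
   * ResourcePermission extends Shiro's WildcardPermission, so a grant of
   * DATA:READ implies DATA:READ:Customers, while CLUSTER:READ implies
   * nothing under the DATA resource.
   */
  @Override
  public boolean authorize(Object principal, ResourcePermission requested) {
    Set<ResourcePermission> granted = GRANTS.get(String.valueOf(principal));
    if (granted == null) {
      return false;
    }
    for (ResourcePermission g : granted) {
      if (g.implies(requested)) {
        return true;
      }
    }
    return false;
  }

  /**
   * Hypothetical gate for an OQL query (assumption for this example, not a
   * Geode API): every region the query reads must be covered by DATA:READ.
   * Letting a CLUSTER:READ-only user reach the query page without this check
   * is the behaviour the advisory describes.
   */
  public static boolean mayRunQuery(SecurityManager sm, Object principal, Set<String> regions) {
    for (String region : regions) {
      if (!sm.authorize(principal, new ResourcePermission(Resource.DATA, Operation.READ, region))) {
        return false;
      }
    }
    return true;
  }

  public static void main(String[] args) {
    ExampleSecurityManager sm = new ExampleSecurityManager();
    Properties creds = new Properties();
    creds.setProperty("security-username", "monitor");
    creds.setProperty("security-password", "monitor-pw");
    Object monitor = sm.authenticate(creds);
    Set<String> regions = Collections.singleton("Customers");

    System.out.println("monitor may open Pulse (CLUSTER:READ): "
        + sm.authorize(monitor, new ResourcePermission(Resource.CLUSTER, Operation.READ)));
    System.out.println("monitor may query Customers (DATA:READ): "
        + mayRunQuery(sm, monitor, regions));
  }
}
```

Running main prints true for the Pulse check and false for the query check:
that second line is the outcome an operator should see for a CLUSTER:READ-only
account after upgrading to 1.1.1. On 1.1.0 the same account, once logged in to
Pulse, could run the query from the Data Browser page regardless.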
Mitigation:
1.1.0 users should upgrade to 1.1.1. Until the upgrade is applied, any
account granted CLUSTER:READ on a secured cluster should be treated as
able to read region data through Pulse.
Credit:
This issue was discovered by Jinmei Liao.
References:
https://www.apache.org/security/